FirstBlood-#1127 — Reflected XSS
This issue was discovered on FirstBlood v3
On 2022-12-08, pichik Level 4 reported:
Hope you are doing well, thanks for the next event.
My first bug is a reflected XSS in the /doctors.php endpoint. There is a parameter doctor which is reflected in between <script> tags.
Didn't find any better impact yet, so reporting just a simple alert.
We just need to escape ' and separate our code, so it won't throw an error. Here is the payload with a simple alert: ';alert(1);'
As I found a way in, I am increasing the impact for this bug as it can be used in the same way as my #1335 report. An attacker can use this bug to append cookies to a URL, send them to his server and steal the accounts of doctors. Payload:
ACCOUNT TAKEOVER POC LINK:
HTML-encoding user-entered input should prevent XSS easily.
FirstBlood ID: 47
Vulnerability Type: Reflective XSS
The endpoint /doctors.php is vulnerable to reflective XSS via the ?doctor= parameter
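The defect and its fix in code, as an added example that is not FirstBlood's own doctors.php source: the raw reflection of ?doctor= into a JavaScript string beside a hardened version. Because the reflection lands inside a <script> block rather than in HTML text, the context-correct encoder is json_encode with the hex flags; htmlspecialchars with ENT_QUOTES also stops this particular payload, but entities are not decoded inside <script>, so the stored value would come out mangled. The function names are illustrative.

```php
<?php
// Added example, not the application's real doctors.php: shows how the
// ?doctor= value ends up inside a <script> block and how to encode it.

// Vulnerable: the parameter is concatenated straight into a JS string, so a
// value containing a quote closes the string and the rest is parsed as code.
function render_vulnerable(string $doctor): string {
    return "<script>var doctor = '" . $doctor . "';</script>";
}

// Hardened: encode for the JavaScript string context. The hex flags turn
// < > & ' " into \uXXXX escapes, so the value can neither terminate the JS
// string nor close the <script> element with a literal "</script>".
function render_hardened(string $doctor): string {
    $encoded = json_encode(
        $doctor,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    return "<script>var doctor = " . $encoded . ";</script>";
}

// The report's payload, used here as constructed test input.
$payload = "';alert(1);'";

// Vulnerable output: the string is closed after the first quote and the
// alert(1) call is emitted as executable script.
echo render_vulnerable($payload), "\n";

// Hardened output: every quote is emitted as \u0027 inside a double-quoted
// JSON string, so the browser sees one string literal and nothing executes.
echo render_hardened($payload), "\n";
```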